Despite threats, security not enough of priority at utilities

Critical infrastructure providers have been slow to respond to an increasing number of threats targeting industries such as power, oil, gas and water, according to a new report.

According to a joint study from McAfee and the Center for Strategic and International Studies (CSIS), which surveyed 200 IT security executives working at utilities in 14 countries, 40 percent believe their sector's vulnerability to attack has increased since last year.

The stats agree. Last year's version of the study found that roughly half of the respondents never faced a major denial-of-service attack or network intrusion. But this year, that number rose to 80 and 85 percent, respectively.

"One of the most startling results of our research is the discovery of the constant probing and assault faced by these critical utility networks," according to the report. "Some electric companies report thousands of probes every month."

Despite the risks, spurred on by the increasing connectivity of control systems to the public internet, some sectors only nominally increased their adoption rates of security measures compared to last year's study. The water and sewage industry saw a heftier spike, from 38 to 46 percent, but the energy sector's rate only rose from 50 to 51 percent.

But even with the increases, many of the entities surveyed are using only basic security controls, such as username and password for authentication. Only one in five are relying solely on tokens and three percent exclusively use biometrics.

Respondents also have been slow to implement technologies such as network activity monitoring (25 percent) and and anomaly detection (36 percent), which are critical to a robust network security posture, according to the report.

"Security remains a focus, and there's been some improvements, but they're pretty modest," Stewart Baker, a fellow at CSIS and one of the report's authors, told SCMagazineUS.com on Tuesday.

But he said he doesn't want the report to spread fear and panic. Even though many control systems may have been successfully penetrated, that doesn't mean the lights are going off tomorrow, he said.

"People can drop bombs on other countries, but they don't do it because it's not in their interest to do it," he said. "The only obvious motivation is extortion, but I think you'd have to be a brave criminal group to hold hostage an entire city. They better be pretty well protected because folks will come looking for you."

The purpose of the report, instead, is to encourage these industries to invest more heavily in security, especially in light of the Stuxnet worm, which showed that malware written specifically for control systems is real, Baker said.

Meanwhile, the rise of the smart grid, which can be connected to appliances and enable two-way communication between homes and utility companies, should encourage security to be part of the building process. However, according to the report, security currently is not a priority for the grid's designers.

"[Solutions] lie in both the policy realm and the science realm," Phyllis Schneck, chief technology officer and vice president of the public sector at McAfee.

On the technology side, the report recommends enhanced authentication, encryption, network monitoring and improved access controls. On the policy side, the report calls on increased public-private partnerships, which Schneck said could take the form of regulations and market incentives.